Walter Conway reports on StoreFront BackTalk that while the PCI Security Council has declined to officially certify any mobile payment apps, some leading acquirers are approving mobile payment applications on their own and offering them to their merchants.
Points out Schuman, Visa’s mandate allows acquirers this freedom: while use of PA-DSS validated payment applications “is recommended, a payment application need not be included on Visa’s list of PABP validated payment applications or PCI SSC’s list of PA-DSS validated payment applications in order to comply with Phase 2, Phase 3 and Phase 5 requirements for use of PA-DSS compliant applications.... Acquirers may determine the PA-DSS compliancy of a payment application through alternate validation processes, which should confirm that payment applications meet PA-DSS requirements and should facilitate compliance with the PCI DSS.”
So an acquirer can support new technologies for its merchants, build customer loyalty, and thus make it harder for the merchants to switch acquiring banks. Down the road the acquirers or the merchants will have their PA-QSAs formalize the certification findings into a Report on Validation (ROV) that can be submitted to the PCI Council.